Business Associate Agreement

Yesterday’s listserv announcement from the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) brought to mind this question. The post announces the agreement by a Florida company, Advanced Care Hospitalists PL (ACH), to pay $500,000 and adopt a “substantial corrective action plan”. The first alleged HIPAA violation? Patient information, including name, date of birth, and social security number was viewable on the website of ACH’s medical billing vendor, and reported to ACH by a local hospital in 2014.

To add insult (and another alleged HIPAA violation) to injury, according to the HHS Press Release, ACH did not have a business associate agreement (BAA) in place with the vendor, Doctor’s First Choice Billings, Inc. (First Choice), during the period when medical billing services were rendered (an 8-month period running from November of 2011 to June of 2012). Based on the HHS Press Release, it appears that ACH only scrambled to sign a BAA with First Choice in 2014, likely after learning of the website issue. In addition, according to the HHS Press Release, the person hired by ACH to provide the medical billing services used “First Choice’s name and website, but allegedly without any knowledge or permission of First Choice’s owner.”

These allegations are head-spinning, starting with those implicating the “should’ve-been” business associate. First, how does a medical billing company allow an employee or any other individual access to its website without its knowledge or permission? Next, shouldn’t someone at First Choice have noticed that an unauthorized person was posting information on its website back in 2011-2012, or at some point prior to its discovery by an unrelated third party in 2014? Finally, how does a medical billing company (a company that should know, certainly by late 2011, that it’s most likely acting a business associate when it performs medical billing services), not realize that individually identifiable health information and social security numbers are viewable on its website by outsiders?

ACH’s apparent lackadaisical attitude about its HIPAA obligations is equally stunning. What health care provider engaged in electronic billing was not aware of the need to have a BAA in place with a medical billing vendor in 2011? While the Omnibus Rule wasn’t published until January of 2013 (at which point ACH had another chance to recognize its need for a BAA with First Choice), HHS has been publishing FAQs addressing all kinds of business associate-related issues and requirements since 2002.

It seems pretty obvious that ACH should have had a BAA with First Choice, but, in many instances, having a BAA is neither required by HIPAA nor prudent from the perspective of the covered entity. A BAA generally is not necessary if protected health information is not created, received, maintained or transmitted by or to the vendor in connection with the provision of services on behalf of a covered entity, business associate, or subcontractor, and having one in place may backfire. Consider the following scenario:

*          Health Plan (HP), thinking it is acting out of an abundance of HIPAA caution, requires all of its vendors to sign BAAs.

*          Small Law Firm (SLF) provides legal advice to HP, but does not create, receive, maintain or transmit protected health information in connection with the services it provides on behalf of HP.

*          However, SLF signs HP’s BAA at HP’s request and because SLF thinks it might, at some point, expand the scope of legal services it provides to HP to include matters that require it to receive protected health information from HP.

*          SLF suffers a ransomware attack that results in some of its data being encrypted, including data received from HP. It reviews HHS’s fact sheet on Ransomware and HIPAA, and realizes that a HIPAA breach may have occurred, since it cannot rule out the possibility that it received protected health information from HP at some point after it signed the BAA and prior to the attack.

*          SLF reports the attack to HP as per the BAA. Neither SLF nor HP can rule out the possibility that protected health information of individuals covered by HP was received by SLF at some point and affected by the attack.

HP is now in the position of having to provide breach notifications to individuals and HHS. Had it been more circumspect at the outset, deciding it would only ask SLF to sign a BAA if/when SLF needed protected health information in order to provide legal services on behalf of HP, it may have avoided these HIPAA implications completely.

So while it seems stunning that a health care provider entity such as ACH would have neglected to sign a BAA with First Choice before 2014, having a BAA in place when it is not necessary can create its own problems. Better to constantly ask (and carefully consider): to BAA or not to BAA?

Filefax, Inc., a defunct Illinois medical records storage and management company, has been fined $100,000 for improperly handling medical data under an agreement with the court-appointed receiver managing the company’s assets on behalf of its creditors.  This settlement has implications for both service providers and their covered entity clients.  Fox Rothschild partners Elizabeth Litten and Michael Kline were quoted in an article by Marla Durben Hirsch entitled “Be prepared for HIPAA Issues if a business associate shuts down” in the August issue of Medical Practice Compliance Alert.

As the HHS press release stated, the consequences for HIPAA violations don’t stop when a business closes.  In this case, Filefax had been under investigation by state and federal authorities since 2015 for careless handling of medical records which had been abandoned at a shredding facility.   Medical Practice Compliance Alert notes:

This settlement shows that  a provider or business associate that has violated HIPAA can’t avoid the consequences by shutting down.  “OCR is saying that you’re still responsible if you close your doors.” Says attorney Elizabeth Litten with Fox Rothschild in Princeton, NJ.

But it also provides a cautionary tale for providers who work with business associates that go under because providers are ultimately responsible for their patients’ records.

The article suggests the following tips for a covered entity to reduce its risks when a business associate may be in shaky financial shape:

  1. Keep an inventory of your business associate relationships.
  2. Choose business associates carefully.
  3. Monitor your business associates’ compliance with HIPAA.
  4. Expect increased scrutiny if a business associate is already on the government’s radar.
  5. Watch for signs that the business associate may be running into financial trouble.
  6. Don’t sit idly if the business associate files for bankruptcy.

What should a covered entity do when it learns that a business associate may have violated its HIPAA responsibilities?  For starters, see our previous post entitled Ten Tips for Actions by a Covered Entity after a HIPAA Breach by a Business Associate.  And if that BA has ceased operations, be prepared to take control of the situation even if the BA may not have enough resources left to reimburse you for its mistakes. Remember, the buck always stops with the Covered Entity.

Harry S. Truman Library & Museum 2017

You may be surprised to learn that those “extra” benefits your company offers to its employees such as your employee assistance program (“EAP”) and wellness program likely are subject to the HIPAA privacy, security and breach notification rules (collectively, “HIPAA Rules”). Part 1 covers why most EAPs are subject to the HIPAA Rules. Part 2 will discuss wellness programs. In both cases, EAPs and wellness programs must comply with the HIPAA Rules to the extent that they are “group health plans” that provide medical care.

As background, the HIPAA Rules apply to “covered entities” and their “business associates.” Health plans and most healthcare providers are “covered entities.” Employers, in their capacity as employers, are not subject to the HIPAA Rules. However, the HIPAA Rules do apply to any “protected health information” (“PHI”) an employer/plan administrator holds on a health plan’s behalf when the employer designs or administers the plan.

Plan administrators and some EAP vendors may not consider EAPs to be group health plans because they do not think of EAPs as providing medical care. Most EAPs, however, do provide medical care. They are staffed by health care providers, such as licensed counselors, and assist employees who are struggling with family or personal problems that rise to the level of a medical condition, including substance abuse and mental health issues. In contrast, an EAP that provides only referrals on the basis of generally available public information, and that is not staffed by health care providers, such as counselors, does not provide medical care and is not subject to the HIPAA Rules.

A self-insured EAP that provides medical care is subject to the HIPAA Rules, and the employer that sponsors and administers the EAP remains responsible for compliance with the HIPAA Rules because it acts on behalf of the plan.   On the other hand, for an EAP that is fully-insured or embedded in a fully-insured policy, such as long-term disability coverage, the insurer will have the primary obligations for compliance with the HIPAA Rules for the EAP. The employer will not be responsible for overall compliance with the HIPAA Rules for an insured EAP even though it provides medical care, but only if the employer does not receive PHI from the insurer or only receives summary health information or enrollment/disenrollment information. Even then, the employer needs to ensure it doesn’t retaliate against a participant for exercising their rights under the HIPAA Rules or require waiver of rights under the HIPAA Rules with respect to the EAP.

An EAP that qualifies as an “excepted benefit” for purposes of HIPAA portability and the Affordable Care Act (as is most often the case because the EAP is offered at no cost, eligibility is not conditioned on participation in another plan (such as a major medical plan), benefits aren’t coordinated with another plan, and the EAP does not provide “significant benefits in the nature of medical care”) can be subject to the HIPAA Rules. In other words, just because you’ve determined that your EAP is a HIPAA excepted benefit doesn’t mean the EAP avoids the HIPAA Rules. Most EAPs are HIPAA excepted benefits, yet subject to full compliance with the HIPAA Rules.

Employers/plan administrators facing unexpected compliance obligations under the HIPAA Rules because of a self-insured EAP that provides medical care will need to enter into a HIPAA business associate agreement with the EAP vendor, amend the EAP plan document to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules. One option is to amend any existing compliance documents and policies and procedures under the HIPAA Rules for another self-insured group health plan to make them apply to the EAP as well. If the EAP is the plan administrator’s only group health plan for which it has compliance responsibility under the HIPAA Rules, the plan administrator should consult with legal counsel to develop and implement all necessary documentation for compliance with the HIPAA Rules.

Congratulations!  You have a HIPAA-compliant business associate (or subcontractor) agreement in place – now what? How can you implement the agreement without becoming a HIPAA guru?

There are many resources available that offer detailed guidance on risk analysis and implementation protocols (such as the Guide to Privacy and Security of Electronic Health Information published by the Office of the National Coordinator for Health Information Technology and numerous “Special Publications” issued by the National Institute of Standards and Technology (NIST)).

These are terrific resources and can keep a team of IT professionals and Privacy and Security Officers reading and scratching their heads for weeks, but here are a few simple and practical steps you can take to avoid the security incident that may result in a protected health information (PHI) breach.

  1. Make sure the covered entity knows which individual(s) is authorized to receive PHI at the business associate. If neither the services agreement nor the business associate agreement specifies the person to whom PHI is to be disclosed, make sure the name, title and contact information of any designated recipient is communicated to the covered entity in writing.
  2. Include a provision in the business associate agreement (or subcontractor agreement) or develop a process whereby the covered entity (or business associate) provides notice, when feasible, prior to transmitting PHI to the designated recipient. Particularly when the transmission of PHI is sporadic or infrequent, provision of advance notice helps heighten awareness of the parties’ HIPAA obligations with respect to particular data being transmitted.
  3. Establish an agreed-upon means of PHI transmission – for example, specify whether transmission will be made via encrypted email, portable device, hard copy, etc. – and document the chain of custody from covered entity to business associate and after receipt by business associate.
  4. Create a “vault” for PHI received by the business associate that is secured by access codes that are changed periodically and can be deactivated when personnel leave the employ of the business associate.
  5. Maintain a perpetual inventory of PHI repositories, delegating responsibility to the Security Officer to oversee or authorize repository access rights, review activity, and conduct regular audits.

As she had done in 2014, Marla Durben Hirsch interviewed my partner Elizabeth Litten and me for her annual Medical Practice Compliance Alert article on compliance trends for the New Year.  While the article, which was entitled “6 Compliance Trends That Will Affect Physician Practices in 2015,” was published in the January 5, 2015 issue of Medical Practice Compliance Alert, a synopsis of the article can be found here. As we have previously pointed out, we always enjoy our talks with Marla because she never fails to direct our thinking to new areas.   We look forward to the opportunity for further encounter sessions with her.

While the article discussed a diverse range of topics affecting physician practices, including accountable care organizations (ACOs) and telemedicine, this blog post will focus on HIPAA-related areas.

Even more HIPAA and related enforcement activities can be expected in 2015.

The article observed that providers will not see a reprieve in this area. Breaches of patient and consumer data continue to proliferate; the tremendous publicity that breaches outside of the HIPAA area have received, such as the hacking of Home Depot and Sony, will create more pressure on HHS’ Office for Civil Rights (OCR) to enforce HIPAA breaches.  The article quotes us as saying “It’s [A HIPAA privacy breach is] very personal to people when their health data is filched; it’s creepy.”  

The article also quotes Elizabeth, who warns that practices also should expect increased activity by the Federal Trade Commission in the area of healthcare data breaches through its enforcement of consumer protection laws and from the Food and Drug Administration’s protection of the integrity of medical devices, even though those federal agencies do not have the same comprehensive standards and clear regulations that OCR does to enforce HIPAA.

Additionally, there is likely to be more private litigation using HIPAA compliance as the standard of care, even though HIPAA itself does not give patients the right to sue for violations. The November 2014 ruling in the Connecticut Supreme Court discussed on this blog here and here recognized HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit. Elizabeth and I observed that the Connecticut case will spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

Covered entities and business associates will refine their agreements, all as they come under more scrutiny.

Many practices and their business associates scrambled to sign business associate agreements (BAAs), often using model forms from OCR and professional societies, to ensure that they had them in place by the September 2013 effective date — and for those who needed only to update an existing BAA, September 2014. However, as discussed in the article, covered entities and business associates now are negotiating the language in BAAs and customizing them to their individual needs, such as choice of law and indemnification requirements.

One provision that may become more prevalent in newer BAAs would allow a business associate that deals with large amounts of data — such as a cloud electronic health records vendor — to use covered entity’s de-identified patient data for the business associates’ own uses. An industry is developing around the aggregation of data for purposes such as research or predicting patient outcomes, and some business associates are moving to capitalize on that data and use it or market it to others. According to Elizabeth, covered entities will need to determine whether they want to grant such business associates permission to use the data that way.

Business Associates Can Expect Audits by OCR in 2015.

The activities of business associates also will be under the microscope. The permanent HIPAA audit program, slated to begin in 2015, is expected to audit business associates as well as covered entities. Elizabeth observed that the use of subcontractors by business associates also will be examined more carefully, especially those who use off-shore subcontractors.

Again, to read more, click here and see the full article in the January 5, 2015 issue of Medical Care Compliance Alert.

I strongly urge every covered entity and business associate faced with a Business Associate Agreement that includes indemnification provisions to read Michael Kline’s “List of Considerations” before signing.  Michael’s list, included in an article he wrote that was recently published in the American Health Lawyers Association’s “AHLA Weekly” and available here, highlights practical and yet not obvious considerations.  For example, will indemnification jeopardize a party’s cybersecurity or other liability coverage?

Data use and confidentiality agreements used outside of the HIPAA context may also include indemnification provisions that are triggered in the event of a privacy or security breach.  Parties to these agreements should take a close look at these “standard” provisions and Michael’s list and proceed carefully before agreeing to indemnify and/or be indemnified by the other party.

 

The Connecticut Supreme Court handed down a decision in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., — A.3d —-, 2014 WL 5507439 (2014) that

[a]ssuming, without deciding, that Connecticut’s common law recognizes a negligence cause of action arising from health care providers’ breaches of patient privacy in the context of complying with subpoenas, we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances.

Interestingly, the decision is dated November 11, 2014, the federal holiday of Veterans Day, but was available on Westlaw on November 7, 2014.  The Court’s decision was rendered 20 months after the date that the case was argued on March 12, 2013.

The decision adds the Connecticut Supreme Court to a growing list of courts that have found that HIPAA’s lack of a private right of action does not necessarily foreclose action under state statutory and common law.  The Byrne case, however, has added significance, as it appears to be the first decision by the highest court of a state that says that state statutory and judicial causes of action for negligence, including invasion of privacy and infliction of emotional distress, are not necessarily preempted by HIPAA.  Moreover, it recognized that HIPAA may be the appropriate standard of care to determine whether negligence is present.

The Byrne case has important implications for HIPAA matters beyond the rights of individuals to sue under state tort law, using HIPAA regulations as the standard of care.  For example, in the area of business associate agreements (“BAAs”) and subcontractor agreements (“SCAs”), as was discussed in a posting in October 2013 on this blog relating to indemnification provisions,

there should be a negation of potential third party beneficiary rights under the BAA or SCA. For example, HIPAA specifically excludes individual private rights of action for a breach of HIPAA – a [p]arty does not want to run a risk of creating unintentionally a separate contractual private right of action in favor of a third party under a[n indemnification] [p]rovision.

A party should, therefore, endeavor to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA.  Failing to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA or SCA can be costly indeed, especially if the number of states that follow the Byrne case principles increases.

Efforts to use HIPAA regulations as standards for causes of action under state law can be expected to rise as a result of the Byrne decision.  Covered entities, business associates and subcontractors should consider acquiring sufficient cybersecurity insurance with expanded coverage and limits.

The deadline for executing a HIPAA Omnibus Rule-compliant Business Associate Agreement (BAA) looms just 2 short weeks from today.  What can a busy covered entity (CE) or business associate (BA) do quickly to show HHS (let alone its business partners/contractors) that it wants and fully intends to comply with the new requirements?  Here are  3 shortcuts that might help you squeak that new BAA in before the deadline:

  • Review and update or prepare an Omnibus Rule-compliant BAA; consider changing opening language to state that you and/or your contractor “may be” a CE, BA, or subcontractor as those terms are defined under HIPAA and that the services “may” involve or require to use or disclosure of protected health information (“PHI”).  This way, the BAA can be executed, but will only apply to HIPAA-covered arrangements.
  • If you know you are CE, BA, or subcontractor of a BA and know (or expect) the arrangement will involve or require the use or disclosure of PHI, but you aren’t sure your existing BAAs are up-to-date, send a generic letter to your contractors via email letting them know that, to the extent HIPAA applies to your business arrangement, you share their responsibility and desire to comply with HIPAA.  Attach or send a link to a website where your updated or new BAA can be accessed by the contractor.
  • Encourage your contractor to sign the new BAA and email or print and fax a signed copy back to you (again, time is running out!).

HIPAA compliance is more than BAA documentation, of course, but these shortcuts can help you jumpstart (or wrap up) this aspect of compliance.

Does your business associate agreement (BAA) reflect your business deal, or is it a bare bones HIPAA compliance document?

Now is the time to check. The HIPAA “Omnibus Rule” published in January of 2013 gave covered entities, business associates, and subcontractors until September 22, 2014 to make their business associate agreements (BAAs) compliant, so use the next few weeks to make sure your BAA complies with the law and reflects your business deal.

skeleton
Copyright: clairev / 123RF Stock Photo

HHS published a bare bones sample BAA when the Omnibus Rule came out, and a number of posts to this blog provide tips that can be used in reviewing and updating your BAA.

But don’t forget that a good BAA supports and is supported by the underlying services contract between the parties, and should be the meat on the bones of the BAA and the brain behind it. A perfectly HIPAA-compliant BAA will crumble into dust if it’s not written to reflect and support the services contract and underlying business deal. Here are two key questions to ask to make sure the business deal and BAA are working in synch:

Question 1: Who are the parties to the BAA?

  • What are the roles of the parties under HIPAA? Check definitions and what is being performed by one party “on behalf of” the other.
  • If the business associate is really a subcontractor (because the covered entity is really a business associate or subcontractor itself), does the BAA (or subcontractor agreement (SA)) recognize and describe the privacy and security obligations imposed by the BAA above it? Has such BAA or subcontractor actually reviewed the BAA or SA above it?
  • If both parties are covered entities, does the BAA clearly describe when the business associate is acting as such, and not as its own covered entity?
  • Will the covered entity ever act as a business associate in relation to the other party?

Question 2: What is the business reason for or purpose of the use and/or disclosure of protected health information (PHI)?

  • What is the reason PHI is being created, received, maintained or transmitted on behalf of the covered entity, business associate or subcontractor?
  • Do the parties have reciprocal obligations to abide by privacy and security standards, such as minimum necessary standards?
  • Will the business associate (or subcontractor) have any claim to own, de-identify, aggregate, modify or keep data derived from the PHI that is the subject of the BAA (for example, will the business associate’s activities with respect to the PHI under the BAA produce other data or data sets not subject to or contemplated by the services contract)?

The bottom line? Before the summer fades (and certainly before September 22nd), make sure your BAA meets the Omnibus Rule requirements, but also make sure it reflects and supports your business deal. The bare bones BAA may not be what you want or need.

Michael J. Coco writes:

If you have ever bought or sold a business, or you have experience with the process, you are aware of the due diligence efforts and multiple agreements required to close the deal. Transactions involving the sale or purchase of health care related business, such as a medical practice, often take the form of asset purchases, set in motion by executing an asset purchase agreement (“APA”). The APA can be a voluminous document written by the purchaser to protect the purchaser. APAs have been known to cover every conceivable circumstance that may reflect negatively on the purchaser after the acquisition. APAs have been known to cover everything from the seller’s violation of a local ordinance to more serious violations, including violations of federal law. With a novelette of protective provisions, a well-written APA seems to cover everything. But like all legal documents, a typical APA needs to keep up with evolving law and, in the case of health care, the law evolves quickly.

Major and fairly recent changes in healthcare law include the clear requirement under applicable HIPAA provisions for covered entities to have business associate agreements in place and for business associates to have subcontractor agreements in place. Breach notification rules and penalties have also been created or refined under HIPAA. The typical APA requires the seller to represent that it has not violated any law, and often expands this representation to its employees. However, few APAs discuss potential HIPAA breaches by employees, or breaches by business associates. More importantly, there may be no specific representation that the seller has in place all of the appropriate business associate agreements.

Although a good due diligence review should evaluate business associate agreements, the purchaser should consider adding specific business associate agreement and breach representations, along with the corresponding indemnification provisions. Buyers should request copies of all business associate agreements currently in place, as well as any subcontractor agreements. In addition, the buyer should ask a seller to disclose any circumstance in which it discovered a potential breach, but determined the breach was not reportable based on an internal risk assessment conducted by the seller. Because the buyer is ordinarily acquiring the good will of the medical practice as an essential element, a past breach by the seller or the seller’s business associate could seriously reduce the value of the buyer’s investment. For this reason, buyers should consider adding specific breach and business associate representations to their APAs.

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]